Rule java:S2629 not reporting the problems

Rule java:S2629 not reporting the problems properly
We are using SonarQube 9.5 Developer Edition; the rule java:S2629 is not reporting the problems.
This commonly occurring performance issue can be reported and highlighted appropriately to developers as part of the quality scan.

If I search through the codebase with the following regular expression: log.*+ (case insensitive), it shows a lot of hits that the rule should match.

Please find the attached screenshot for your reference.


But as I pointed out, that's a marker for a different code smell, not the broken one.
According to the rule, any code like this:

image

should fail.

Hey there.

Thanks for the feedback. Let me recommend you take a look at this post:

Specifically, we need a self-contained text-based sample of code that reproduces the issue rather than a screenshot.

Thanks!

Hi,
Below is the text, and this rule is also not working.
Please check once and help me.

logger.log(Level.DEBUG, "Something went wrong: " + message);
logger.fine("An exception occurred with message: " + message);
LOG.error("Unable to open file " + csvPath, e);

@Colin Could you please check once and help me on it ASAP.

@Colin Any update on my request? It is blocking our development.
Please help me on it ASAP.

Hi Team,

Please help me with my issue; it is impacting our code and security gate.

Regards,
Naren Singamaneni

Hi Team,

Please can anyone check my issue and help me with it; it's been pending for a long time and we are still waiting for a solution.
If any additional details are required, please let us know.

Regards,
Naren Singamaneni.

Hey @narendrasingamaneni

Since all the necessary information has been included, we’ve flagged this for attention by an expert. This means that somebody will look at your report, maybe ask some follow-up questions, and try and determine if it’s really a false-positive that should be fixed.

This review could be done hours, days, or even weeks from now. If it takes a while, it doesn't mean your report isn't important to us; it just means that our teams are already hard at work developing new language analysis features, and your report is in the queue.

If you’re using SonarQube or SonarCloud – an issue administrator can always mark an issue as a false-positive in the UI (this also suppresses it in SonarLint when using Connected Mode). The rule can also be disabled in your Quality Profile if it’s particularly noisy.

Please do not continue to bump this thread.

Hi Narendra, allow me to jump in to get some clarification so that we can eventually work on this.
I am not sure I understood what issue you are having; can you confirm that you expect the rule to raise issues on the example you gave us?

logger.log(Level.DEBUG, "Something went wrong: " + message);
logger.fine("An exception occurred with message: " + message);
LOG.error("Unable to open file " + csvPath, e);

So on the lines of code above, you would expect an issue to be raised, but that does not happen?

Also, it would be great if you could provide a snippet of code that I could just copy and paste to reproduce your issue, since it is hard for me to figure out which logger library you are using, where the variable message comes from, etcetera.

Thank you!

Hi Leonardo. We're not able to paste the exact code due to organisational constraints, but here's an essential example of an instance where we see the rule not being reported, which should give you an idea of the source:

package a.b.c;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class A extends B implements C {
		
	private static final Logger LOG = LoggerFactory.getLogger(A.class);

	public void quoteInputToCart()
	{
		try
		{
			String dynamicQuoteInputValue = "sample");		
			LOG.debug("The value of dynamicQuoteFields :- " + dynamicQuoteInputValue);
		}
		catch (JsonProcessingException e)
		{
			...
		}
	}
}

Hi Team,

Please, anyone, respond; we have been facing this issue for a long time.

Regards,
Naren Singamaneni.

Hi @Leonardo_Pilastri @Colin
Please help me to resolve my issue.
It has been pending for a long time.

Regards,
Naren Singamaneni.

Hi All,

No one is responding; it's been almost a month now, but still no one is responding. Please let us know.

Regards,
Naren Singamaneni.

Hello @narendrasingamaneni ,

This forum is not aimed at providing on-demand support. There are no expectations in terms of giving you an answer within a short time, and threads are handled on a best-effort basis. Sometimes it can take a day (especially when there is a lot of info or the problem is simple), sometimes months. Please refrain from such repetitive pings. We have seen your numerous messages. If you need quick and strong support, please consider opting for our commercial support offering.

Now, your code snippet does not compile. Please make a self-contained reproducer that reproduces the issue (meaning, a reproducer that does NOT raise an issue for rule S2629 while it should) so we can investigate what is happening.

On my side, I tried the following code snippet, adapted from yours, and I do see an issue being raised.

class A {

  private static final org.slf4j.Logger LOG = org.slf4j.LoggerFactory.getLogger(A.class);

  public void quoteInputToCart() {
    try {
      String dynamicQuoteInputValue = foo("sample");
      LOG.debug("The value of dynamicQuoteFields :- " + dynamicQuoteInputValue); // Issue by S2629 raised here
    } catch (JsonProcessingException e) {
      // ...
    }
  }

  static String foo(String string) throws JsonProcessingException {
    return null;
  }

  static class JsonProcessingException extends Exception {
  }
}

Finally, if calls to loggers are not detected during your analysis, can you please make sure that the slf4j dependencies are provided as part of the classpath during analysis? Also, how are you analyzing your project? If you are not using the Maven or Gradle scanner, it's likely that you have misconfigured your dependency binaries, leading to such problems.

Hope this helps,
Michael
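
As an added example (not code from this thread or from SonarSource) of why S2629 flags the concatenation in the snippet above: with string concatenation the argument is rendered even when DEBUG is disabled, whereas a `{}` placeholder or an `isDebugEnabled()` guard avoids that work. It assumes only slf4j-api (e.g. the 1.7.30 jar mentioned later in this thread) on the classpath and no binding, so every level is disabled; `S2629Demo` and `QuoteInput` are made-up names.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class S2629Demo {

    private static final Logger LOG = LoggerFactory.getLogger(S2629Demo.class);

    /** Constructed helper: counts how often it is rendered to a String. */
    static final class QuoteInput {
        int renderCount = 0;

        @Override
        public String toString() {
            renderCount++;
            return "sample";
        }
    }

    // Noncompliant (what S2629 reports): the whole message is built before
    // debug() can check whether DEBUG is enabled at all.
    static int logWithConcatenation(QuoteInput input) {
        LOG.debug("The value of dynamicQuoteFields :- " + input);
        return input.renderCount;
    }

    // Compliant: the placeholder is only filled in if DEBUG is enabled,
    // so toString() is never called when the level is off.
    static int logWithPlaceholder(QuoteInput input) {
        LOG.debug("The value of dynamicQuoteFields :- {}", input);
        return input.renderCount;
    }

    // Also compliant: an explicit guard skips the concatenation entirely.
    static int logWithGuard(QuoteInput input) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("The value of dynamicQuoteFields :- " + input);
        }
        return input.renderCount;
    }

    public static void main(String[] args) {
        // With slf4j-api alone (NOP logger), the render counts below show the
        // work that is wasted by the noncompliant form and saved by the others.
        System.out.println("concatenation renders: " + logWithConcatenation(new QuoteInput()));
        System.out.println("placeholder renders:   " + logWithPlaceholder(new QuoteInput()));
        System.out.println("guard renders:         " + logWithGuard(new QuoteInput()));
    }
}
```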

Hi Michael,
We have created a Java class SLF4jSonar.java and used slf4j-api-1.7.30.jar for the loggers.

The class SLF4jSonar.java uses slf4j for the loggers. The version of the slf4j jar used at location hybris\bin\platform\ext\core\lib\slf4j-api-1.7.30.jar is defined as:
Jar name: slf4j-api-1.7.30.jar
<slf4j.version>1.7.30</slf4j.version>
We do not see any dependencies defined for log4j or any other API in the pom.xml file of this jar.

Please find below the Sonar report for this file:

Please find attached SLF4jSonar.txt (changed the extension from .java to .txt to enable attachment).

SLF4jSonar.txt (1.5 KB)

Please provide your views and comments.

Thanks
Naresh Sahu

Hi Michael,
Putting some more information to my above post:
The SAP Hybris platform also uses log4j-1.2-api-2.1.jar for logging purposes.
Thanks
Naresh Sahu

Hi Michael,

Additionally, we are using SAP Commerce Cloud (SAP Hybris), and this platform uses Ant as its build tool. We are not using Gradle or Maven as the build framework.
Therefore the dependencies are internally defined and controlled by the Ant framework, and we do not have much control over customizing any such dependencies or the build framework.

Regarding Sonar, we are using the "Prepare analysis on SonarQube" task for project scanning and a service connection to connect to the SonarQube server. We gave properties for exclusions and inclusions in the advanced properties. We are using "Run code analysis" to run the code analysis on the SonarQube server, and "Publish quality gate" to publish the report on the SonarQube dashboard.
I am attaching a screenshot of the Sonar pipeline steps used.
Thanks
Naresh Sahu